Thursday, July 26, 2012

When you are using the Get-AD* cmdlets to generate a list of users or other objects, it is a best practice to use the Filter parameter. When you use the Filter parameter, you pass a filter directly to Active Directory when you run the cmdlet. This is more efficient than retrieving a large list of objects and then filtering them with Where-Object.

I was working through a query with Get-ADUser that would obtain a list of all disabled users from Active Directory except for two or three OUs. To do this, I was trying to use the Filter parameter as shown below.

Looks good, right? Unfortunately, the filtering based on the distinguished name didn't work. It turns out that you cannot use wildcards when filtering based on the distinguished name. I also tried using the CanonicalName property, but it is a calculated property generated by Get-ADUser. So, CanonicalName cannot be used for a filter. The answer is to use Where-Object.
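One way to combine the two approaches, as an added example that is not from the original post: the Enabled test stays in the Filter parameter so the domain controller does that work, and only the OU exclusion runs in Where-Object. The OU distinguished names are hypothetical placeholders.

```powershell
# Added example; the OU names below are hypothetical placeholders.
Import-Module ActiveDirectory

# OUs whose disabled accounts should be left out of the report.
$excludedOUs = @(
    'OU=Service Accounts,DC=example,DC=com',
    'OU=Terminated,DC=example,DC=com'
)

# Server-side filter: only the Enabled test is sent to Active Directory.
# Wildcards against DistinguishedName are not supported here.
$disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged

# Client-side filter: drop any user whose DN ends with ",<excluded OU>".
# EndsWith is used instead of -like so that characters such as [ or ] in a
# DN are not treated as wildcard syntax. Users in child OUs are excluded too.
$report = $disabled | Where-Object {
    $dn = $_.DistinguishedName
    $inExcludedOU = $excludedOUs | Where-Object {
        $dn.EndsWith(",$_", [System.StringComparison]::OrdinalIgnoreCase)
    }
    -not $inExcludedOU
}

# Oldest changes first, which helps when reviewing stale disabled accounts.
$report |
    Sort-Object whenChanged |
    Select-Object SamAccountName, DistinguishedName, whenChanged
```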

Tuesday, July 24, 2012

You may at some point have a need to query recently created mailboxes. This script queries mailboxes created within the last seven days.

$date = (Get-Date).AddDays(-7)

Get-Mailbox -Filter {WhenCreated -gt $date}

The logic of the script is this:

Set the variable $date equal to the current date minus 7 days.

Get a list of mailboxes with a WhenCreated attribute greater than the date 7 days ago.

You can use the same basic structure for other objects such as Active Directory users by substituting the Get-ADUser cmdlet for the Get-Mailbox cmdlet.

$date = (Get-Date).AddDays(-7)

Get-ADUser -Filter {WhenCreated -gt $date}

Update (Dec 2015):
The above syntax actually doesn't work. Not sure how I missed it when I first wrote the post. Today when I was writing a script using this syntax, it returned all mailboxes no matter what. So, the $date variable wasn't being properly evaluated. I'm leaving the above example so that people can see what syntax not to use.

Use the following syntax instead:

$date = (Get-Date).AddDays(-7)

Get-Mailbox -Filter "WhenCreated -gt '$date'"

Apparently when building a filter with a variable, you need to enclose the whole filter in double quotes and the variable in single quotes. This syntax worked properly for me.

Wednesday, July 18, 2012

I ran into a first yesterday. As seems to happen on a somewhat regular basis, a client had a virus-infected computer. One of the tools I normally rely on is TDSSKiller.exe from Kaspersky. It removes most rootkits that infect the boot sector of a hard drive, and it is one of the few that checks the boot sector of non-boot drives. So, you can use it when a drive is externally attached.

In this case, TDSSKiller.exe identified Rootkit.boot.SST.b. When the software attempted to clean it, it didn't display any errors, but if you looked at the log, it indicated that it couldn't be cleaned.

Some web sites suggested downloading Kaspersky Rescue Disk to remove it. This is a bootable Linux CD/USB image. Basically, it accomplishes the same thing as placing the drive in an external case. It prevents any malware on the drive from loading in the boot process. This tool also found the rootkit, but couldn't remove it.

I also tried booting up in the XP recovery console and using FixMBR, which appeared to work, but the rootkit was still there.

The final fix was referenced by a few web sites. This rootkit created its own partition that it inserted into the boot process. None of the repair tools understood the boot process and therefore could not repair it.

On this computer, the OS partition was 40 GB and a 100 MB partition was created after that. The 100 MB partition was marked active and therefore was used to start the boot process. When viewed from within Disk Management, the partition type was unknown. The fix was to remove the extra 100 MB partition and then mark the OS partition as active. After this, the rootkit was gone.

Based on reading other web sites, the size of this partition may vary. I saw references to a small partition that is only a few MB. I'm guessing the virus authors changed it to be 100 MB to make it confusing with the 100 MB partition used by Windows Vista and Windows 7. Also, I can only assume that a larger partition provides more space to hide malware that is introduced during the boot process.

After removing the rootkit, there was still a bunch of other malware that I removed with MalwareBytes and SuperAntiSpyware. In the end the only thing lost was some Start Menu shortcuts.

Realistically, I should have just wiped it and rebuilt it, but after putting in an hour or so, it became competitive and I just wanted to win.

I shouldn't need to say this, but do not deploy this software in a production environment. This software is for testing only. Who knows what these schema extensions impact when you want to deploy the release version of the product.

The licensing for Exchange 2010 has been changed to allow multi-mailbox search with standard CALs instead of enterprise CALs. Previous to this change any mailbox searched with multi-mailbox search required an enterprise CAL.

This is a pretty big deal for a few reasons. First, it's handy to use multi-mailbox search when recovering items for single item recovery. It is a much nicer interface than straight PowerShell. Secondly, it's also nice when users complain that they've lost a message and you can go and search their mailbox without connecting directly to their mailbox.

You still need an enterprise CAL for personal archives, legal hold, per user/group journaling, and custom retention policies.

Friday, July 13, 2012

I recently updated the certificate for OWA on an SBS 2008 installation. That went fine and I deleted the old certificate. A few weeks later, we were informed that Remote Web Workplace was not working. When users attempted to connect to their computer, they got a JavaScript dialog box with error 50331688.

The cause of the issue is a certificate not being installed for the Terminal Services gateway. The Terminal Services gateway is used by RWW. The fix is to select a valid certificate and then all is good.

Thursday, July 12, 2012

Apparently a few years back, Dell started splitting large ISO files into smaller pieces to make downloading easier. The page I was downloading from said they needed to be joined, but did not provide the instructions.

Here are the instructions for joining two DVD files (OM_6.5.0_SMTD_A01.iso.001 and OM_6.5.0_SMTD_A01.iso.002):

This copies the two existing files into a single new file. Based on the file names, they should be selected in the correct order. However, if they are not, you can use this modified command that specifies the order:

Tuesday, July 10, 2012

The Exchange Team has posted a nice series of blog articles about the details of backing up Exchange Server 2010. The articles discuss exactly how VSS backups work, backups of active database copies, and backups of passive database copies.

If you downloaded the most recent version (14.3.38.2) of the Exchange 2010 Management Pack released in June of 2012, it can cause mailboxes to be randomly quarantined. As of June 27th, the Management Pack has been pulled and will be released again when it is fixed.

If you have already installed this management pack, there are some workarounds to disable the function that is quarantining the mailboxes.

Many organizations want a single user to have multiple email addresses and would like the user to be able to select which email address to send as. In Exchange 2010 (and earlier versions) it's very easy to add multiple email addresses for a user. However, the sending is a problem.

When multiple email addresses have been configured for a user, only one email address can be set as the primary/Reply To address. The primary address is the From address when sending a message. The user cannot select an alternate From address from their list of addresses.

Windows 7 is more secure than Windows XP. That is a good thing. However, it's also annoying when you want to remotely manage a domain joined computer and it's not allowed by default.

Windows Firewall in Windows 7 does not allow remote management even on domain joined computers. You need to create the exceptions that allow remote management of Windows.

You generally want to:

Allow ping. I'd like to see if the computer is up or not.

Connect with Remote Desktop. It's nice to fix up desktop computers without going on site.

Connect with Computer Management. Nice to see event logs remotely without logging on.

Connect to the registry remotely. Nice to do reg edits without logging on locally and bothering the customer.

In SBS 2011, much of this is done automatically by a Group Policy object created during installation. However, if you are using a normal edition of Windows Server, then you need to make the Group Policy object yourself.

Thursday, July 5, 2012

As part of a performance test for an application at a client, we needed to set up a temporary server running Windows Server 2008 R2 and SQL Server 2005. When you install SQL 2005, it indicates that IIS must be installed. Back in Windows Server 2003 this was easy because IIS was installed as a single lump. Starting in Windows Server 2008, IIS is installed as multiple role services. This makes it difficult to determine which role services are required.

Here is a list of the IIS 7 role services that must be installed for SQL 2005:

About Me

A consultant, author, and instructor for about 20 years. My areas of expertise are Windows Server, Exchange Server, and Office 365. While my primary role is a consultant, I also provide technical training (custom and Microsoft authorized). I have been part of a team authoring Microsoft Official Curriculum on Windows Server, Active Directory, and Exchange Server since 2003. I have also authored books for Microsoft Press, Cengage Learning, and Wiley. I was also a Microsoft MVP for Exchange Server/Office 365 (2012-2015). @ByronWrightGeek